Date: Thu, 10 Oct 2019 14:29:37 -0400
From: David Cross <dcrosstech@gmail.com>
To: Warner Losh <imp@bsdimp.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: uefisign and loader
Message-ID: <CAM9edePsJuv-Vouc7RuBNpzEDUY2LE-q8Gs_xpyWrzZvSwxF5g@mail.gmail.com>
In-Reply-To: <CAM9edeP+bvKzOuuGMXLvgczzkaDCCuDJdH7C+nRanXn=3w6Fdg@mail.gmail.com>
References: <CAM9edeOTrNev=izkp2R3C5A0geHRe51m71BPn1OrXSn_QWFaGQ@mail.gmail.com> <CANCZdfqdbKgRqF7AhsfjNwQdzbwA7uSuQoWzWvHQrwkJ2p4AXg@mail.gmail.com> <CAM9edeP+bvKzOuuGMXLvgczzkaDCCuDJdH7C+nRanXn=3w6Fdg@mail.gmail.com>
OK, it appears uefisign is just outright broken; after not being able to boot even boot1 signed, I brought the signed image over to Windows and used signtool verify and got the error message:

"SignTool Error: WinVerifyTrust returned error: 0x80096010 The digital signature of the object did not verify."

This is a different error than I get from SignTool on boot1.efi with an untrusted cert (signed via SignTool), which reports:

"..A certificate chain processed, but terminated in a root certificate which is not trusted..."

Anyone actually use uefisign successfully?

On Mon, Oct 7, 2019 at 9:29 AM David Cross <dcrosstech@gmail.com> wrote:

> On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <imp@bsdimp.com> wrote:
>
>> On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech@gmail.com> wrote:
>>
>>> I've been working on getting Secure Boot working under FreeBSD (I today
>>> just finished off a REALLY rough tool that lets one tweak UEFI
>>> authenticated variables under FreeBSD, with an eye to try to get a patch
>>> to put this into efivar). After setting the PK, the KEK, and the db, I
>>> was super excited to finally secure-boot my machine, and discovered that
>>> I could not uefisign loader. Attempting to sign loader returns a cryptic
>>> "section points inside the headers" and then hangs in pipe-read (via
>>> SIGINFO). (This is under 12.0 FWIW.)
>>>
>>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so
>>> it's not really useful for me.
>>>
>>> Suggestions?
>>>
>>
>> Use loader.efi directly instead?
>>
>
> I currently do use loader.efi directly, however not being able to sign
> loader.efi directly complicates things a bit (using hash-based signature
> lists for the 'db' variable); and it seems we *should* be able to sign
> loader. From some other posts on the internet it seems that at some point
> we could.
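The thread turns on two things a practitioner has to get right when hand-rolling Secure Boot for loader.efi: what a signer (uefisign or signtool) actually hashes, and what goes into a hash-based 'db' entry. Both use the Authenticode PE hash, not sha256 of the file. The block below is an added example, not code from this thread nor from FreeBSD's uefisign or efivar: a small Python implementation of the Authenticode PE hash (PE32 and PE32+), plus a layout check for a section whose raw data begins inside the headers. Assumptions: build_pe() fabricates a toy PE32+ image, fake_cert_table() is a placeholder WIN_CERTIFICATE rather than a real PKCS#7 signature, and the idea that the layout check matches the "section points inside the headers" message quoted above is an inference from the message text, not something verified against uefisign's source.

```python
"""Authenticode PE hash for a UEFI image (added example; not FreeBSD code).

Per the Authenticode PE spec the CheckSum field, the Certificate Table
directory entry and the appended certificate table are excluded from the
digest, and sections are hashed in PointerToRawData order.  build_pe()
constructs a tiny PE32+ "EFI application" so everything runs offline.
"""
import hashlib
import struct


def _parse(data):
    """Return (checksum_off, cert_entry_off, cert_size, size_of_headers, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    cert_off = dd_off + 4 * 8 if nrva > 4 else None   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_size = struct.unpack_from("<II", data, cert_off)[1] if cert_off is not None else 0
    sections = []
    for i in range(nsect):
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        sections.append((name, raw_ptr, raw_size))
    return opt + 64, cert_off, cert_size, hdr_size, sections


def check_layout(data):
    """Layout problems that make the image unhashable the way Authenticode expects.

    Section data is hashed after the headers, so a section whose raw data starts
    inside SizeOfHeaders would be covered twice.  (Assumption: this is the kind
    of condition behind uefisign's "section points inside the headers".)
    """
    _, _, _, hdr_size, sections = _parse(data)
    problems = []
    for name, raw_ptr, raw_size in sections:
        if raw_size and raw_ptr < hdr_size:
            problems.append("section %s: PointerToRawData 0x%x lies inside the headers "
                            "(SizeOfHeaders 0x%x)" % (name, raw_ptr, hdr_size))
        elif raw_ptr + raw_size > len(data):
            problems.append("section %s: raw data runs past end of file" % name)
    return problems


def authenticode_hash(data, algo="sha256"):
    """Hex Authenticode PE hash; the value a db hash entry or a signer covers."""
    problems = check_layout(data)
    if problems:
        raise ValueError("; ".join(problems))
    csum_off, cert_off, cert_size, hdr_size, sections = _parse(data)
    h = hashlib.new(algo)
    h.update(data[:csum_off])                        # headers up to CheckSum
    pos = csum_off + 4                               # skip CheckSum
    if cert_off is not None:
        h.update(data[pos:cert_off])
        pos = cert_off + 8                           # skip Certificate Table entry
    h.update(data[pos:hdr_size])
    hashed = hdr_size
    for _, raw_ptr, raw_size in sorted((s for s in sections if s[2]), key=lambda s: s[1]):
        h.update(data[raw_ptr:raw_ptr + raw_size])   # sections in file order
        hashed += raw_size
    trailer = len(data) - hashed - cert_size          # trailing data minus cert table
    if trailer > 0:
        h.update(data[hashed:hashed + trailer])
    return h.hexdigest()


def fake_cert_table(blob=b"placeholder, not a real PKCS#7 SignedData"):
    """WIN_CERTIFICATE (revision 2, PKCS_SIGNED_DATA) around a stand-in blob."""
    body = blob.ljust(-(-len(blob) // 8) * 8, b"\0")
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_pe(text, cert_table=b"", checksum=0, section_ptr=None):
    """Fabricate a one-section PE32+ EFI application (constructed test input).

    section_ptr overrides .text's PointerToRawData to exercise check_layout().
    """
    hdr_size = align = 0x200
    raw_size = -(-len(text) // align) * align
    file_len = hdr_size + raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x400000,
                      0x1000, align, 0, 0, 0, 0, 0, 0, 0, 0x2000, hdr_size,
                      checksum, 10, 0, 0, 0, 0, 0, 0, 16)            # subsystem 10 = EFI app
    dirs = [(0, 0)] * 16
    if cert_table:
        dirs[4] = (file_len, len(cert_table))      # Certificate Table: file offset, size
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x1000, raw_size,
                                        hdr_size if section_ptr is None else section_ptr,
                                        0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(hdr_size, b"\0") + text.ljust(raw_size, b"\0") + cert_table


if __name__ == "__main__":
    unsigned = build_pe(b"\xcc" * 100)
    signed = build_pe(b"\xcc" * 100, cert_table=fake_cert_table())
    print("authenticode:", authenticode_hash(unsigned))
    print("unchanged by appending a cert table:", authenticode_hash(unsigned) == authenticode_hash(signed))
    print("layout problems:", check_layout(build_pe(b"\xcc" * 100, section_ptr=0x100)))
```

For a real binary, `authenticode_hash(open("/boot/loader.efi", "rb").read())` is the digest to compare against an EFI_CERT_SHA256_GUID entry in db or against what a signing tool reports; a plain sha256 of the file will not match, and it changes as soon as a certificate table is appended, whereas the Authenticode hash does not.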